rotkonetworks · hitchhooker · Oct 3, 2024 · Oct 2, 2024 · Oct 3, 2024 · Oct 3, 2024
diff --git a/group_vars/all/secret_vault.yaml.encrypted b/group_vars/all/secret_vault.yaml.encrypted
diff --git a/group_vars/cumulus.yaml b/group_vars/cumulus.yaml
@@ -1,3 +1,4 @@
+---
 default_base_path: /opt/cumulus
 default_chain_spec_dl_url: https://raw.githubusercontent.com/paritytech/polkadot-sdk/master/cumulus/parachains/chain-specs/{{
   default_network }}.json

diff --git a/group_vars/peeringdb.yaml b/group_vars/peeringdb.yaml
diff --git a/group_vars/polkadot.yaml b/group_vars/polkadot.yaml
@@ -1,3 +1,4 @@
+---
 default_auxiliary_binary_path: /usr/libexec
 default_base_path: /opt/polkadot
 default_chain_spec: '{{ default_base_path }}/{{ default_network }}.json'

diff --git a/host_vars/rpc-asset-hub-paseo-02.yaml b/host_vars/rpc-asset-hub-paseo-02.yaml
@@ -25,7 +25,6 @@ default_secure_rpc_port: 42957
 default_prom_port: 7957
 zabbix_ext_port: 10957
 
-
 default_bootnode_domain: "boot-{{ default_network }}.rotko.net"
 default_bootnode_p2p_port: "{{ default_p2p_port + 10500 }}"
 default_bootnode_p2p_port_ws: "{{ default_p2p_port_ws + 10500 }}"

diff --git a/host_vars/rpc-paseo-02.yaml b/host_vars/rpc-paseo-02.yaml
@@ -28,7 +28,6 @@ default_secure_rpc_port: 42342
 default_prom_port: 7342
 zabbix_ext_port: 10342
 
-
 # default_bootnode_domain: "boot-{{ default_network }}.rotko.net"
 default_bootnode_domain: "pso16.rotko.net"
 default_bootnode_p2p_port: "{{ default_p2p_port + 10500 }}"

diff --git a/install_unlabored b/install_unlabored
diff --git a/playbooks/networkid_pk_backup.yaml b/playbooks/networkid_pk_backup.yaml
@@ -1,12 +1,12 @@
 ---
 - name: Manage and Backup Network ID Secret Key with genpeerid
   hosts: polkadot, cumulus, encointer, hydradx
-  gather_facts: true
-  become: true
+  gather_facts: True
+  become: True
   vars:
     install_dir: "/usr/local/bin"
     local_backup_dir: "/opt/backup"
    client_folder: "/opt" # ~/.local/share default for polkadot-sdk
    binary_name: "genpeerid"
    script_url: "https://raw.githubusercontent.com/rotkonetworks/genpeerid/master/scripts/install.sh"

@@ -17,6 +17,7 @@
       register: binary_stat
 
     - name: Ensure genpeerid is installed
+      when: not binary_stat.stat.exists
       block:
         - name: Create temporary directory for installation script
           ansible.builtin.tempfile:
@@ -34,7 +35,7 @@
           ansible.builtin.command:
             cmd: "{{ temp_dir.path }}/{{ binary_name }}.sh"
             chdir: "{{ temp_dir.path }}"
-          #  ignore_errors: true
+          #  ignore_errors: True
           register: script_output
 
         - name: Check installation success
@@ -47,7 +48,6 @@
           ansible.builtin.file:
             path: "{{ temp_dir.path }}"
             state: absent
-      when: not binary_stat.stat.exists
 
     - name: Ensure backup directory exists locally
       ansible.builtin.file:
@@ -60,7 +60,7 @@
       ansible.builtin.find:
         paths: "{{ client_folder }}"
         patterns: "secret_ed25519"
-        recurse: true
+        recurse: True
         excludes: "lost+found/*"
       register: secret_files
 
@@ -74,15 +74,15 @@
           when: secret_files.matched > 0
           loop_control:
             label: "{{ item.path }}"
-            pause: false
+            pause: False
 
         - name: Fetch secret file to local machine
           when: peerid.results | map(attribute='stdout') | list | length > 0
          ansible.builtin.fetch:
            src: "{{ item.item.path }}"
            dest: "{{ local_backup_dir }}/{{ ansible_hostname }}_{{ lookup('pipe', 'date +%Y%m%d%H%M%S') }}_{{ peerid.results | map(attribute='stdout') | join('_') }}.secret_ed25519"
            flat: yes
           loop: "{{ peerid.results }}"
           loop_control:
             label: "{{ item.item.path }}"
-            pause: false
+            pause: False
diff --git a/playbooks/proxmox_install_nodes_tools.yaml b/playbooks/proxmox_install_nodes_tools.yaml
diff --git a/playbooks/proxmox_install_vms.yaml b/playbooks/proxmox_install_vms.yaml
diff --git a/playbooks/update_sshd.yaml b/playbooks/update_sshd.yaml
@@ -2,13 +2,17 @@
 - name: Update sshd to latest version
   hosts: proxmox_nodes, proxmox_hosts
   gather_facts: False
-  become: true
+  become: True
   tasks:
     - name: Ensure package lists are up to date
       ansible.builtin.apt:
         update_cache: yes
 
-    - name: Upgrade openssh-server to latest version
+    - name: Perform dist-upgrade to ensure all packages, including OpenSSH, are up to date
+      ansible.builtin.apt:
+        upgrade: dist
+
+    - name: Ensure openssh-server is installed
       ansible.builtin.apt:
         name: openssh-server
-        state: latest
+        state: present
diff --git a/roles/proxmox_setup_nodes/tasks/main.yaml b/roles/proxmox_setup_nodes/tasks/main.yaml
@@ -1,51 +1,17 @@
 # Standards: 0.2
 ---
-# - name: Create predefined containers
-#   community.general.proxmox:
-#     api_user: "{{ proxmox_defaults.api_user }}"
-#     api_password: "{{ proxmox_defaults.api_password }}"
-#     api_host: "{{ proxmox_defaults.api_host }}"
-#     vmid: "{{ item.proxmox_config.vmid }}"
-#     hostname: "{{ item.proxmox_config.hostname }}"
-#     template: "{{ item.proxmox_config.template }}"
-#     netif: "{{ item.proxmox_config.netif }}"
-#     cores: "{{ item.proxmox_config.cores }}"
-#     memory: "{{ item.proxmox_config.memory }}"
-#     swap: "{{ item.proxmox_config.swap }}"
-#     password: "{{ item.proxmox_config.password }}"
-#     disk: "{{ item.proxmox_config.disk }}"
-#     mounts: "{{ item.proxmox_config.mounts }}"
-#     onboot: "{{ item.proxmox_config.onboot }}"
-#     unprivileged: "{{ item.proxmox_config.unprivileged }}"
-#     validate_certs: "{{ item.proxmox_config.validate_certs }}"
-#     description: "{{ item.proxmox_config.description }}"
-#     state: "{{ item.proxmox_config.state }}"
-#     features: "{{ item.proxmox_config.features }}"
-#   loop: "{{ lxc_nodes }}"
-#   when: lxc_nodes is defined
-#   register: container_creation_result
-#
-# - name: Start predefined nodes
-#   community.general.proxmox:
-#     api_user: "{{ proxmox_defaults.api_user }}"
-#     api_password: "{{ proxmox_defaults.api_password }}"
-#     api_host: "{{ proxmox_defaults.api_host }}"
-#     vmid: "{{ item.proxmox_config.vmid }}"
-#     state: "started"
-#   loop: "{{ lxc_nodes }}"
-#   when:
-#     - lxc_nodes is defined
-#     - "item.proxmox_config.state == 'present'"
-#   register: container_start_result
-
 - name: Create predefined containers
-  community.general.proxmox: "{{ proxmox_defaults | combine(item.proxmox_config) }}"
+  community.general.proxmox:
+    proxmox_defaults: "{{ proxmox_defaults | combine(item.proxmox_config) }}"
   loop: "{{ lxc_nodes }}"
   when: lxc_nodes is defined
   register: container_creation_result
 
 - name: Start predefined nodes
-  community.general.proxmox: "{{ proxmox_defaults | combine({'vmid': item.proxmox_config['vmid'], 'state': 'started'}) }}"
+  community.general.proxmox:
+    proxmox_defaults: "{{ proxmox_defaults }}"
+    vmid: "{{ item.proxmox_config['vmid'] }}"
+    state: "started"
   loop: "{{ lxc_nodes }}"
   when:
     - lxc_nodes is defined

diff --git a/roles/proxmox_setup_vms/defaults/main.yaml b/roles/proxmox_setup_vms/defaults/main.yaml
@@ -5,4 +5,4 @@ proxmox_defaults:
   api_token_id: "your_proxmox_token_id"
   api_token_secret: "your_proxmox_token_secret"
   api_host: "your.proxmox.host"
-  validate_certs: false
+  validate_certs: False
diff --git a/roles/setup_install_cumulus/tasks/main.yaml b/roles/setup_install_cumulus/tasks/main.yaml
@@ -37,7 +37,7 @@
     needs_custom_chain_spec: "{{ default_network in ['asset-hub-paseo', 'bridge-hub-paseo'] }}"
 
 - name: Check if the local chain spec file exists
-  stat:
+  ansible.builtin.stat:
     path: "{{ default_chain_spec }}"
   register: local_chain_spec
   when: needs_custom_chain_spec

diff --git a/roles/setup_install_nginx/defaults/main.yaml b/roles/setup_install_nginx/defaults/main.yaml
@@ -6,7 +6,7 @@ default_domain: "{{ host_name }}"
 # Note: Sensitive data like API tokens and Zone IDs should be in vault
 # cloudflare_zone_id: "{{ vault_cloudflare_zone_id }}"
 # cloudflare_api_token: "{{ vault_cloudflare_api_token }}"
-# cloudflare_certificate: "-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----" 
+# cloudflare_certificate: "-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----"
 # cloudflare_certificate_pk: "-----BEGIN PRIVATE KEY----- -----END PRIVATE KEY-----"
 cloudflare_origin_key_path: "/etc/nginx/ssl/cloudflare_origin.key"
 cloudflare_origin_pem_path: "/etc/nginx/ssl/cloudflare_origin.pem"

diff --git a/roles/setup_install_nginx/tasks/main.yaml b/roles/setup_install_nginx/tasks/main.yaml
@@ -6,7 +6,8 @@
       - python3-certbot-dns-cloudflare
     state: present
     update_cache: yes
-  become: true
+  become: True
+  become_user: root
 
 - name: Ensure Certbot secrets directory exists
   ansible.builtin.file:
@@ -15,7 +16,8 @@
     mode: '0700'
     owner: root
     group: root
-  become: true
+  become: True
+  become_user: root
 
 - name: Ensure Cloudflare credentials file exists
   ansible.builtin.copy:
@@ -25,16 +27,17 @@
     mode: '0600'
     owner: root
     group: root
-  become: true
+  become: True
+  become_user: root
 
 - name: Calculate days until expiration
-  set_fact:
+  ansible.builtin.set_fact:
     days_until_expiration: >
       {{ ((cert_info.not_after | default('1970-01-01T00:00:00Z') | to_datetime('%Y%m%d%H%M%SZ')) - (ansible_date_time.iso8601 | to_datetime('%Y-%m-%dT%H:%M:%SZ'))).days }}
   when: cert_info is defined and cert_info.not_after is defined
 
 - name: Renew Let's Encrypt certificate using DNS challenge
-  command: >
+  ansible.builtin.command: >
     certbot certonly --dns-cloudflare
     --dns-cloudflare-credentials /root/.secrets/certbot/cloudflare.ini
     -d {{ default_domain }}
@@ -45,7 +48,8 @@
     --agree-tos
     --email {{ default_certificate_email }}
     --deploy-hook "systemctl reload nginx"
-  become: true
+  become: True
+  become_user: root
   when: days_until_expiration is not defined or days_until_expiration | int < 30
 
 - name: Ensure NGINX SSL directory exists
@@ -55,7 +59,8 @@
     mode: '0755'
     owner: root
     group: root
-  become: true
+  become: True
+  become_user: root
 
 - name: Symlink Let's Encrypt certificates to NGINX SSL directory
   ansible.builtin.file:
@@ -66,37 +71,42 @@
   loop:
     - fullchain.pem
     - privkey.pem
-  become: true
+  become: True
+  become_user: root
   notify: Reload nginx
 
 - name: Configure NGINX for HTTPS
-  template:
+  ansible.builtin.template:
     src: "https-{{ default_node_type }}.conf.j2"
     dest: "/etc/nginx/sites-available/{{ default_domain }}"
     mode: '0644'
   notify: Reload nginx
-  become: true
+  become: True
+  become_user: root
 
 - name: Enable NGINX configuration
-  file:
+  ansible.builtin.file:
     src: "/etc/nginx/sites-available/{{ default_domain }}"
     dest: "/etc/nginx/sites-enabled/{{ default_domain }}"
     state: link
   notify: Reload nginx
-  become: true
+  become: True
+  become_user: root
 
 - name: Set up Certbot auto-renewal
-  cron:
+  ansible.builtin.cron:
     name: "Certbot renewal"
     job: "certbot renew --quiet --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/certbot/cloudflare.ini --deploy-hook 'systemctl reload nginx'"
     minute: "0"
     hour: "3"
     weekday: "1"
-  become: true
+  become: True
+  become_user: root
 
 - name: Check NGINX configuration
-  command: nginx -t
+  ansible.builtin.command: nginx -t
   register: nginx_config_check
-  changed_when: false
+  changed_when: False
   failed_when: nginx_config_check.rc != 0
-  become: true
+  become: True
+  become_user: root